"malicious DLL. To remove the ACL via PowerShell deployment (shoutout and kudos to community member u/bclimer in our Reddit thread): `$path = "C:\Windows\System32\spool\drivers"`, `$acl = Get-Acl $path`, `$newrule = New-Object System.Security.AccessControl.File…`"
T1547.012 Print Processors (89%)
"and may have difficulty enabling them site-wide. If you cannot readily enable that logging, another option is to look for the use of ImageLoad (Event ID 7) with the `spoolsv.exe` process. Researchers have shared Sigma rules to help detect this. Microsoft has shared previou…"
T1547.012 Print Processors (84%)
"…PM ET: Included another option for temporary mitigation without hindering printing functionality from the Print Spooler service. Update July 01 @ 9:14am ET: Updated to better reflect guidance from our Reddit post with new intel. Update July 02 @ 8:48am ET: Updated to inc…"
T1068 Exploitation for Privilege Escalation (76%)
"does look to prevent remote code execution, but does not yet cover privilege escalation. According to Microsoft's latest updates on July 6, "updates are not yet available for Windows 10 version 1607, Windows Server 2016, or Windows Server 2012. Security updates for these versions …"
T1068 Exploitation for Privilege Escalation (72%)
"Critical Vuln.: PrintNightmare Exposes Windows Servers to RCE | Huntress. On June 29, Huntress was made aware of CVE-2021-1675 (now termed CVE-2021-34527), a critical remote code execution and local privilege escalation vulnerability dubbed "PrintNightmare." Microsoft…"
T1210 Exploitation of Remote Services (72%)
"…GitHub (Python, C++). Our team has reviewed the source code for each and confirmed both successfully exploit Server 2016 and Server 2019 systems. We haven't experimented on all Windows operating systems, but Microsoft's CVE announcement states Windows 7, 8, 8.1, 10 and S…"
T1547.012 Print Processors (67%)
"emails, like for payroll purposes or other use cases. If disabling the Print Spooler service is appropriate for your organization, you can do this on a single machine with a few PowerShell commands: `Stop-Service -Name Spooler -Force`, `Set-Service -Name Spooler -StartupType…`"
T1068 Exploitation for Privilege Escalation (62%)
"and immediately gain administrator or SYSTEM level rights to fully own the machine. - Remote code execution means that this attack vector can be weaponized externally, from one separate computer to another. Not only does this offer an option for initial access — it readily enable…"
T1068 Exploitation for Privilege Escalation (41%)
"…PM ET: Included another option for temporary mitigation without hindering printing functionality from the Print Spooler service. Update July 01 @ 9:14am ET: Updated to better reflect guidance from our Reddit post with new intel. Update July 02 @ 8:48am ET: Updated to inc…"
Summary
Huntress is aware of PrintNightmare, a critical RCE and local privilege escalation vulnerability. This serious security flaw affects many Windows servers.